Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 36

Thread: Rogue AV/AS prolific

  1. #21
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Post Police arrest Ransomware cybercriminals ...

    FYI...

    Police arrest Ransomware cybercriminals
    - http://blog.trendmicro.com/trendlabs...vity-nabbed-2/
    Feb 13, 2013 - "... Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON. The apparent arrest of this cybercriminal of Russian origin occured in Dubai, United Arab Emirates. The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia..."

    - http://news.yahoo.com/spain-busts-ra...201859529.html
    Feb 13, 2013 - "... The gang, operating from the Mediterranean resort cities of Benalmadena and Torremolinos, made at least €1 million ($1.35 million) annually... The 27-year-old Russian alleged to be the gang's founder and virus developer was detained in the United Arab Emirates at the request of Spanish police while on vacation and an extradition petition is pending, Martinez said. Six more Russians, two Ukrainians and two Georgians were arrested in Spain last week... Money was also stolen from the victims' accounts via ATMs in Spain, and the gang made daily international money transfers through currency exchanges and call centers to send the funds stolen to Russia. Spanish authorities identified more than 1,200 victims but said the actual number could be much higher. The government's Office of Internet Security received 784,000 visits for advice on how to get rid of the virus. Those arrested face charges of money laundering, participation in a criminal operation and fraud."

    - http://h-online.com/-1803788
    14 Feb 2013

    Last edited by AplusWebMaster; 2013-02-14 at 20:05.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation DHS-themed Ransomware in the wild

    FYI...

    DHS-themed Ransomware in the wild
    - https://www.us-cert.gov/ncas/current...med-Ransomware
    Last revised: March 22, 2013 - "US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware... US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages..."

    Screenshot: http://news.softpedia.com/newsImage/...somware-2.jpg/
    March 21, 2013

    - http://www.reuters.com/article/2013/...92K0Z920130321
    Mar 21, 2013

    Last edited by AplusWebMaster; 2013-03-22 at 17:36.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #23
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Ransomware leverages victims' browser histories for increased credibility

    FYI...

    Ransomware leverages victims' browser histories for increased credibility
    - https://www.computerworld.com/s/arti...ed_credibility
    April 1, 2013 - "... A new ransomware variant that employs this trick was spotted over the weekend by an independent malware analyst known online as Kafeine. Dubbed Kovter, this version stands out because it uses information gathered from the victim's browser history in order to make the scam message more credible, Kafeine said Friday in a blog post*. Kovter displays a fake warning allegedly from the U.S. Department of Justice, the U.S. Department of Homeland Security and the FBI, that claims the victim's computer was used to download and distribute illegal content. The message also lists the computer's IP address, its host name and a website from which the illegal material was allegedly downloaded. The malware checks if any of the sites already present in the computer's browser history is present in a remote list of porn sites whose content is not necessarily illegal, and if there's a match, it displays it in the message. By using this technique and naming a site that the victim has actually visited as the source for the alleged illegal content, the ransomware authors attempt to increase the credibility of their message. If no match is found when checking the browser history against the remote list, the malware will just use a random porn site in the message... The authors of police-themed ransomware are constantly trying to improve their success rate and this is just the latest in a long series of tricks they have added. Some variants are actually using the computer's webcam, if one is present, to take a picture of the user and include it in the message in order to give the impression that the authorities are recording the user. Another variant gives victims a deadline of 48 hours to pay the made-up fine before their computer drive is reformatted and their data is destroyed. The average number of daily infection attempts with police-themed ransomware has doubled during the first months of 2013..."
    *Screenshot: https://d1piko3ylsjhpd.cloudfront.ne..._kovter_01.png

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #24
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Ransomware - Reveton.B ...

    FYI...

    Ransomware - Reveton.B...
    - https://www.net-security.org/malware_news.php?id=2497
    May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds. It is being delivered on the victims' computer via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
    > https://www.net-security.org/images/...n-17052013.jpg
    ... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updates should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
    * http://blogs.technet.com/b/mmpc/arch...l-pay-off.aspx

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #25
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Top 5 Fake Security Rogues of 2013

    FYI...

    Top 5 Fake Security Rogues of 2013
    - http://blog.webroot.com/2013/06/27/t...ogues-of-2013/
    June 27, 2013 - "We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious type of infections we see. The Rogues lock-down your computer and prevent you from opening any applications so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: To get your money.
    Here are the top 5 rogues reported this year (Screenshots):
    System Care Antivirus: https://webrootblog.files.wordpress....irus.jpg?w=750
    Internet Security: https://webrootblog.files.wordpress....rity.png?w=736
    Disk Antivirus Professional: https://webrootblog.files.wordpress....irus.png?w=752
    System Doctor 2014: https://webrootblog.files.wordpress....2014.jpg?w=801
    AVASoft professional antivirus: https://webrootblog.files.wordpress....irus.jpg?w=796
    ... The most common install from fake Adobe update installers and malicious URLs linked from pictures that look like this:
    1) https://webrootblog.files.wordpress....pg?w=296&h=145
    2) https://webrootblog.files.wordpress....pg?w=560&h=145
    Once you click on images like this in the wild and receive the payload from the malicious URLs, you’ll have effectively given permission and installed the Rogue onto your computer.
    > https://webrootblog.files.wordpress....nter.jpg?w=869
    Don’t give them your credit card information.
    ... New variants of these rogues come out constantly so there are millions of unique signatures being dropped on computers everyday..."

    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    27 Jun 2013

    Last edited by AplusWebMaster; 2013-07-06 at 14:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #26
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Ransomware targets Apple Mac OS X users

    FYI...

    Ransomware targets Apple Mac OS X users
    - http://blog.malwarebytes.org/intelli...ac-os-x-users/
    July 15, 2013 - "... Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.
    Screenshot: http://cdn.blog.malwarebytes.org/wp-...ansomware1.png
    The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords. Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.” A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users. If you choose to ignore the message (which you should), you cannot get rid of the page:
    > http://cdn.blog.malwarebytes.org/wp-...3/07/lock1.png
    If you “force quit” the application, the same ransomware page will come back the next time to restart Safari because of the “restore from crash” feature which loads backs the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle... There -is- a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:
    > http://cdn.blog.malwarebytes.org/wp-...3/07/reset.png
    Make sure all items are marked and hit the Reset button:
    > http://cdn.blog.malwarebytes.org/wp-.../07/reset2.png
    You can bet many people are going to fall for this scam and pay the ransom money, filling the bad guys’ pockets. Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it. The bad guys know how to use social engineering to entice victims as, for example, I was lead to this locked page by doing a search for Taylor Swift on Bing images. The victim will feel they may have actually being doing something wrong and got caught and ashamed, will pay the “fine.” This scam is unfortunately all too efficient and is not going away anytime soon. Watch this tutorial* on how to get rid of the FBI ransomware for OS X..."
    * http://www.youtube.com/watch?v=Ip6tvti4UjU
    ___

    - https://www.ic3.gov/media/2013/130718-2.aspx
    July 18, 2013

    Last edited by AplusWebMaster; 2013-07-19 at 15:35.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #27
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation DHS-themed ransomware - in the wild

    FYI...

    DHS-themed ransomware - in the wild...
    - https://www.us-cert.gov/ncas/current...somware-UPDATE
    July 30, 2013 - "US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild. Users who are being targeted by the ransomware receive a message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. One iteration of this malware also takes a webcam (if available) photo or video of a recipient and posts it in a pop-up to add to the appearance of legitimacy. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #28
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Ransomlock malware changes Windows Login Credentials

    FYI...

    Chinese Ransomlock malware changes Windows Login Credentials
    - http://www.symantec.com/connect/blog...in-credentials
    21 Aug 2013 - "... new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked. This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation) so that once the computer has restarted, and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.
    Login screen with changed account name after system restart
    > https://www.symantec.com/connect/sit...gure1_Edit.png
    If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked. Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:
    1. Use password “tan123456789” to log into the system and reset the password (as mentioned before, this might -not- always work as the password may be changed by the malware author)
    2. Use another administrator account to log into the system and reset the password
    3. If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password
    4. Use Windows recovery disk to reset the password."
    ___

    Spear-Phishing E-mail with Missing Children Theme
    - https://www.us-cert.gov/ncas/current...Children-Theme
    August 22, 2013 - "The FBI is aware of a spear-phishing e-mail appearing as if it were sent from the National Center for Missing and Exploited Children. The subject of the e-mail is "Search for Missing Children," and a zip file containing 3 malicious files is attached. E-mail recipients should always treat links and attachments in unsolicited or unexpected e-mail with caution."

    Last edited by AplusWebMaster; 2013-08-22 at 20:56.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #29
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Cryptolocker ransomware ...

    FYI...

    Cryptolocker ransomware
    - http://arstechnica.com/security/2013...0-in-bitcoins/
    Oct 17 2013 - "Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker. It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings. Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available..."
    > http://cdn.arstechnica.net/wp-conten...t1-640x498.jpg

    Cryptolocker Prevention Kit
    - http://www.thirdtier.net/2013/10/cry...revention-kit/
    Oct 14, 2013 - "The SMBKitchen Crew and Third Tier staff have put together a group materials that were published as part of our SMBKitchen Project and only available to subscribers. However because this virus is spreading so rapidly and is so serious we’ve decided to make these materials available to everyone. The kit includes an article on cleaning up after infection but more importantly provides materials and instruction for deploying preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too. We have also provide GPO settings that you can important into your environment. We’ve zipped it up into a single file. Download it now*"
    * http://www.thirdtier.net/downloads/C...ventionKit.zip
    ___

    - http://atlas.arbor.net/briefs/index#1331587000
    High Severity
    21 Oct 2013
    The CryptoLocker ransomware has been popular lately. Several serious outbreaks have taken place and this threat is harder to recover from unless proactive measures have been taken.
    Source: http://nakedsecurity.sophos.com/2013...-and-recovery/

    - http://windowssecrets.com/top-story/...nicious-virus/
    Oct 23, 2013

    - https://isc.sans.edu/diary.html?storyid=16871
    Last Updated: 2013-10-22 14:09:38 UTC

    CryptoLocker: Its Spam and ZeuS/ZBOT Connection
    - http://blog.trendmicro.com/trendlabs...ot-connection/
    Oct 21, 2013 - "... the CryptoLocker malware that not only blocks accessing to the system, but also forces users to buy a $300 decrypting tool by locking or encrypting specific files in the system. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its having small file size and a simple downloading function. Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and came across with a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):
    (Screenshot of spam with malicious attachment)
    > http://blog.trendmicro.com/trendlabs...yptolocker.jpg
    Once this attached file is executed, it connects to a URL to download another file, which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).
    (CryptoLocker infection chain)
    > http://blog.trendmicro.com/trendlabs...ock_edited.jpg
    This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents... Although the ransom note only in CryptoLocker specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption. RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information). The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available. For information on which files are encrypted, users can check their system’s autostart registry.
    > http://blog.trendmicro.com/trendlabs...yptolocker.jpg
    ... It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources. Email reputation service also blocks the spam related to this threat."

    CryptoPrevent Tool:
    - http://www.bleepingcomputer.com/viru...#cryptoprevent
    Oct 20, 2013

    Last edited by AplusWebMaster; 2013-10-24 at 18:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #30
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down GWload - Mass Injection making its rounds ...

    FYI...

    GWload - Mass Injection making its rounds ...
    - http://community.websense.com/blogs/...ts-rounds.aspx
    29 Oct 2013 - "... a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites... Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users to install rogue software. We see parallels of the injected websites with websites that were affected by the "cookiebomb" mass injection, which was mostly associated with delivering "ransomware" payloads...
    Number of injected web pages spotted in the last 7 days:
    > http://community.websense.com/cfs-fi..._5F00_days.jpg
    Users who browse to a compromised injected website are immediately redirected 'drive-by' style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b ) shows them this notification: "VLC player is required for this website, click DOWNLOAD NOW". VLC media player is a legitimate open source media player (the official page is located here*). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with -all- the "VLC media player" installations that take part in this mass injection campaign... The lure - how content is 'locked' with conditional access; this is what the user sees when browsing to an injected website:
    > http://community.websense.com/cfs-fi...lashscreen.jpg
    ... If a user is convinced that it is necessary to download and run the file to access the website's content, then unexpected, -rogue- installations of software will commence on the user's machine... Looks like "VLC Player" Installation, but the small print allows for some extras:
    > http://community.websense.com/cfs-fi...plashcreen.jpg
    ... We noticed that this mass injection uses a social engineering trick that locks legitimate websites' content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with 'GWload' that code that mostly was used in social engineering-based attacks on -Facebook- has now migrated and is used with mass injections..."
    * http://www.videolan.org/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •